
"CISA can shorten the deadline to three days in cases of high-risk exploitation. However, for CVE-2026-32202, the CVSS score was rated at 4.3, which does not meet the policy threshold for a faster patch cycle."
"There is indeed an argument that the 14-day window to patch a vulnerability that is being actively exploited in the wild is too long."
"The reason why it was not elevated to an emergency directive type patch cycle is due to Microsoft's rating, as well as several other factors."
CISA operates under Binding Operational Directive 22-01, which requires federal agencies to patch vulnerabilities within specified timelines. For CVE-2026-32202, rated 4.3 on the CVSS scale, CISA set a 14-day deadline despite active exploitation. The decision follows the policy thresholds, under which higher-risk vulnerabilities can prompt shorter deadlines. The 14-day window has raised concerns that it is too long for an actively exploited vulnerability, but factors such as Microsoft's rating weighed against an emergency directive patch cycle.
Read at Computerworld